[NEW] Patches Core to allow attachment access from portal users

apply_patches.sh

@@ -35,6 +35,7 @@ pt_core ()
     pushd $DEST
     git apply $OPTIONS $SRC/patches/20210603_auth-oauth_redirects-to-root.patch
     git apply $OPTIONS $SRC/patches/20220131_purchase-requisition_match-variant.patch    
+    git apply $OPTIONS $SRC/patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch
     # Reverted in https://github.com/odoo/odoo/commit/8d1d62a8c0746abb30f97290304b761f74111a89:
     #git apply $OPTIONS $SRC/patches/20220204_mail_re-enables-buttons-in-notifications.patch
     popd

patches/20230206_ir-attachment_allow-portal-users-attachment-access.patch

@@ -0,0 +1,16 @@
+diff --git a/odoo/addons/base/models/ir_attachment.py b/odoo/addons/base/models/ir_attachment.py
+index f1d8701a1..0f7926756 100644
+--- a/odoo/addons/base/models/ir_attachment.py
++++ b/odoo/addons/base/models/ir_attachment.py
+@@ -417,7 +417,10 @@ class IrAttachment(models.Model):
+             return True
+         # Always require an internal user (aka, employee) to access to a attachment
+         if not (self.env.is_admin() or self.env.user.has_group('base.group_user')):
+-            raise AccessError(_("Sorry, you are not allowed to access this document."))
++            res_models = ['account.move', 'stock.picking']
++            if not self.res_model or not self.res_id or self.res_model not in res_models:
++                raise AccessError(_("Sorry, you are not allowed to access this document."))
++            self.env[self.res_model].browse(self.res_id).check_access_rule('read')
+         # collect the records to check (by model)
+         model_ids = defaultdict(set)            # {model_name: set(ids)}
+         if self: